Fix pepper string var leaks for M17.

I had to do a manual merge because message_channel.cc has changed too much for drover to handle.

Original/trunk CL: http://codereview.chromium.org/8982006
BUG=108308,108314
TEST=
Review URL: http://codereview.chromium.org/9016044

git-svn-id: svn://svn.chromium.org/chrome/branches/963/src@115844 0039d316-1c4b-4281-b951-d872f2087c98

3 files changed, 12 insertions, 0 deletions

diff --git a/ppapi/native_client/src/shared/ppapi_proxy/browser_ppb_messaging_rpc_server.cc b/ppapi/native_client/src/shared/ppapi_proxy/browser_ppb_messaging_rpc_server.cc
index 062bb5b..0676b16 100644
--- a/ppapi/native_client/src/shared/ppapi_proxy/browser_ppb_messaging_rpc_server.cc
+++ b/ppapi/native_client/src/shared/ppapi_proxy/browser_ppb_messaging_rpc_server.cc
@@ -13,6 +13,7 @@
 #endif
 
 using ppapi_proxy::PPBMessagingInterface;
+using ppapi_proxy::PPBVarInterface;
 using ppapi_proxy::DebugPrintf;
 using ppapi_proxy::DeserializeTo;
 
@@ -30,6 +31,11 @@ void PpbMessagingRpcServer::PPB_Messaging_PostMessage(
     return;
 
   PPBMessagingInterface()->PostMessage(instance, message);
+
+  // In the case of a string, DeserializeTo creates a PP_Var with a reference-
+  // count of 1. We must release the var, or it will stay in the browser's map.
+  PPBVarInterface()->Release(message);
+
   DebugPrintf("PPB_Messaging::PostMessage: instance=%"NACL_PRIu32"\n",
               instance);
 
diff --git a/ppapi/proxy/plugin_var_serialization_rules.cc b/ppapi/proxy/plugin_var_serialization_rules.cc
index 3d9975a..520e942 100644
--- a/ppapi/proxy/plugin_var_serialization_rules.cc
+++ b/ppapi/proxy/plugin_var_serialization_rules.cc
@@ -136,6 +136,8 @@ void PluginVarSerializationRules::EndSendPassRef(const PP_Var& var,
   if (var.type == PP_VARTYPE_OBJECT) {
     var_tracker_->ReleaseHostObject(
         static_cast<PluginDispatcher*>(dispatcher), var);
+  } else if (var.type == PP_VARTYPE_STRING) {
+    var_tracker_->ReleaseVar(var);
   }
 }
 
diff --git a/webkit/plugins/ppapi/message_channel.cc b/webkit/plugins/ppapi/message_channel.cc
index 4e9e82883..be44c6e 100644
--- a/webkit/plugins/ppapi/message_channel.cc
+++ b/webkit/plugins/ppapi/message_channel.cc
@@ -10,7 +10,9 @@
 #include "base/bind.h"
 #include "base/logging.h"
 #include "base/message_loop.h"
+#include "ppapi/shared_impl/ppapi_globals.h"
 #include "ppapi/shared_impl/var.h"
+#include "ppapi/shared_impl/var_tracker.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebBindings.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebDocument.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebDOMMessageEvent.h"
@@ -23,6 +25,7 @@
 #include "webkit/plugins/ppapi/npapi_glue.h"
 #include "webkit/plugins/ppapi/ppapi_plugin_instance.h"
 
+using ppapi::PpapiGlobals;
 using ppapi::StringVar;
 using WebKit::WebBindings;
 using WebKit::WebElement;
@@ -159,6 +162,7 @@ bool MessageChannelInvoke(NPObject* np_obj, NPIdentifier name,
     MessageChannel& message_channel(ToMessageChannel(np_obj));
     PP_Var argument(NPVariantToPPVar(message_channel.instance(), &args[0]));
     message_channel.PostMessageToNative(argument);
+    PpapiGlobals::Get()->GetVarTracker()->ReleaseVar(argument);
     return true;
   }
   // Other method calls we will pass to the passthrough object, if we have one.